An unpatched vulnerability in ChromaDB could allow remote, unauthenticated attackers to spawn a shell and take control of the server process, HiddenLayer reports.
ChromaDB is an open source vector database for building AI applications. It has approximately 13 million monthly pip downloads and is used by high-profile organizations, including Mintlify, Factory AI, and Weights & Biases.
Tracked as CVE-2026-45829 and referred to as ChromaToast, the pre-authentication remote code execution (RCE) flaw could be exploited to leak sensitive information the server has access to, including API keys, environment variables, mounted secrets, and all files on the disk, according to HiddenLayer.
“The root cause of CVE-2026-45829 is two independent failures that compound each other. The server trusts client-supplied model identifiers without restriction, and acts on that trust before authenticating the user sending the request,” HiddenLayer says.
An unauthenticated attacker can trigger the flaw by supplying a malicious HuggingFace model that is executed before authentication checks, providing an attacker with shell access, the cybersecurity firm explains.
HiddenLayer exploited the issue by sending a collection creation request that did not contain credentials but pointed to a crafted HuggingFace model.
“Despite no credentials being provided, the server accepts the request, reaches out to HuggingFace, downloads our model, and executes it. It is only then that the server runs its authentication check and rejects the request,” the company explains.
Successful exploitation of the bug provides the attacker with full control of the server process and with access to everything it can reach.
The vulnerability affects all ChromaDB iterations since version 1.0.0, and roughly 73% of the internet-accessible deployments are affected, HiddenLayer says.
The cybersecurity firm says it has attempted to report the issue to Chroma multiple times via several channels starting February 17, but has received no response. Independent researcher Azraelxuemo says they reported the flaw in November 2025, but received no response either.
While unpatched, CVE-2026-45829 potentially exposes vulnerable ChromaDB deployments to takeover attacks. Restricting network access to ChromaDB to trusted clients only should mitigate the bug, HiddenLayer notes.
“Full remediation in the code would be to move the authentication check before configuration loading and stripping any keys named ‘kwargs’ from requests in both the V1 and V2 create_collection handles. However, this is not patched as of ChromaDB 1.5.8,” the company says.
SecurityWeek has emailed Chroma for a statement on the vulnerability and will update this article if the company responds.
Related: PoC Released for DirtyDecrypt Linux Kernel Vulnerability
Related: Critical Vulnerability Exposes Industrial Robot Fleets to Hacking
Related: Exploitation of Critical NGINX Vulnerability Begins
Related: Hackers Targeted PraisonAI Vulnerability Hours After Disclosure
